Classification

Category :

Malware

Type :

-

Aliases :

Morbex, I-Worm.Morbex, W32/Morb.A@mm

Summary

Morbex is a worm that spreads using multiple methods, including email, IRC, MSN Messenger and Kazaa file sharing. When infecting the system, this worm also drops an SdBot-based IRC trojan. Email addresses are collected from the user's Microsoft Outlook and Outlook Express Inbox.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm was written using Borland Delphi and is around 55 kilobytes in size. Morbex features several infection vectors:

Mass-mailing

The worm uses the Microsoft Mail API to collect email addresses, to which it sends infected messages with the following characteristics:

Subjects:

'Check this out'
'This is what you wanted, right?'
'Microsoft Windows Security Update'
'See if you can get this to work'
'I admit it ... I love you'
'S*x me up baby'
'This is so funny'
'To be or not to be?'
'B-ville did it again ...'
'Company information'

Bodies:

'Here you go, I recall you asked for this.'
'Hey sweety, check the attachment.'
'How do you feel about this?'
'Please do not make this public, thank you.'
'Please install this update, its required'
'Come on honey!'
'I love this funny game, check it out.'
'This is the stock information you wanted.'
'Keep it a secret please!'
'With love from b-ville!'

Attachments:

'Q349247.exe'
'information.DOC.exe'
'Saddam_Game.exe'
'I_Love_U.exe'
'NakedPics.JPG.exe'
'FreeS*x.exe'
'B-ville.exe'
'StockInformation.XLS.exe'
'SecretFile.exe'
'Attachement.exe'
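As an added mail-gateway triage example (not F-Secure's own tooling), this Python function parses a raw RFC 822 message and flags it against the subject and attachment names listed above; it also applies a generic double-extension rule that covers attachments such as 'information.DOC.exe' even when the exact name differs. The sample message is constructed for illustration.

```python
import re
from email import message_from_string

# Subject and attachment names reproduced from the Morbex description above.
MORBEX_SUBJECTS = {s.lower() for s in (
    'Check this out', 'This is what you wanted, right?',
    'Microsoft Windows Security Update', 'See if you can get this to work',
    'I admit it ... I love you', 'S*x me up baby', 'This is so funny',
    'To be or not to be?', 'B-ville did it again ...', 'Company information')}
MORBEX_ATTACHMENTS = {a.lower() for a in (
    'Q349247.exe', 'information.DOC.exe', 'Saddam_Game.exe', 'I_Love_U.exe',
    'NakedPics.JPG.exe', 'FreeS*x.exe', 'B-ville.exe',
    'StockInformation.XLS.exe', 'SecretFile.exe', 'Attachement.exe')}
# Generic rule: a document or image extension directly followed by .exe, the
# double-extension trick that several of the attachments above rely on.
DOUBLE_EXT = re.compile(r'\.(doc|xls|jpg|jpeg|gif|txt)\.exe$', re.IGNORECASE)

def attachment_names(msg):
    """Yield the filename of every MIME part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name

def triage_raw_message(raw):
    """Return the reasons a raw RFC 822 message looks like a Morbex mailing."""
    msg = message_from_string(raw)
    reasons = []
    if (msg.get('Subject') or '').strip().lower() in MORBEX_SUBJECTS:
        reasons.append('subject matches Morbex list')
    for name in attachment_names(msg):
        if name.lower() in MORBEX_ATTACHMENTS:
            reasons.append('attachment name matches Morbex list: ' + name)
        elif DOUBLE_EXT.search(name):
            reasons.append('double-extension executable attachment: ' + name)
    return reasons

# Constructed sample message (hypothetical, not taken from any real capture).
SAMPLE_RAW = """\
Subject: Microsoft Windows Security Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Q349247.exe"
Content-Disposition: attachment; filename="Q349247.exe"

MZ
--b1--
"""
```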

Spreading through MSN Messenger and IRC

Morbex has a built-in web server that listens on port 81 on the infected computer. This web server serves a simple web page that tries to fool the visitor into believing that it contains a browser plug-in that needs to be installed.

The web server serves files from a directory called 'services' located in the Windows directory. This directory contains two files, 'index.html' and 'setup.exe', both of them dropped by the worm.

Morbex modifies the mIRC ini file so that the client sends messages to users who join a channel where the worm-infected IRC client is present.

The worm also looks for ongoing MSN Messenger conversations and plants messages there that include a link to itself.

The messages are chosen from a predefined list of messages in the worm body, and the URL to the worm is appended to them. The following messages are listed:

'Check this out, '
'btw, download this, '
'I wanted to show you this, '
'please check out, '
'hey go to, '
'See if you can get this to work, '
'this is cool, '
'this is funny, '
'Free p*rn at '
'lol, '
'is this you? '
'whats this? '
'This is me, '
'Whats wrong with? '
'wtf? '
'hmmmm, '
'Hahaha, '
'F*ck this, '
'weird, '
'HOLY SH*T, '
'WOW CHECK THIS OUT, '
'omg omg omg I found the best app, '
'What have they done with you? '
'Is this possible? '
'rofl, '
'b*tch ;), '
'How come this happened? '
'This is me naked, '
'S*x me up '
'This guy is a moron, '

Users who visit the URL see a web page served by the worm's own web server.

Spreading through Kazaa

If Morbex finds that the Kazaa file sharing client is installed on the computer, it creates a directory called 'explorer' under the Windows directory and adds it to the Kazaa shared directories. It populates the directory with copies of itself using many catchy filenames:

'Unreal 2 - The Awakening.exe'
'Command & Conquer Generals.exe'
'Splinter Cell.exe'
'Warcraft III - The Frozen Throne.exe'
'Gods & Generals.exe'
'Unreal 2 Crack.exe'
'Command & Conquer Generals Crack.exe'
'Gods & Generals Crack.exe'
'The Sims 4.exe'
'The Sims 4 Crack.exe'
'Splinter Cell Crack.exe'
'Raven Shield - Crack.exe'
'Raven Shield Keygenerator - WORKS ONLINE.exe'
'Mortal Kombat - Deadly Alliance.exe'

System infection

When Morbex enters the system, it copies itself to the Windows directory using the name 'svchost.exe'. This copy is then added to the registry as

'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost'

to ensure that the worm is started when the computer starts.

The worm drops an SdBot-based trojan into the Windows directory as 'msapi.exe' and runs it.
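As an added host-triage example (not F-Secure's tooling), this Python function checks a host snapshot for the persistence entry, the dropped 'msapi.exe', the 'services' web root, the Kazaa bait files and the port 81 listener described in the sections above. The Windows directory path, the Run key contents, the file listing and the port set are constructed inputs; in practice they would come from a registry export, a file-system listing and netstat output.

```python
import ntpath

# File, registry and port indicators reproduced from the Morbex description.
WEB_ROOT_FILES = (r'services\index.html', r'services\setup.exe')
KAZAA_NAMES = {n.lower() for n in (
    'Unreal 2 - The Awakening.exe', 'Command & Conquer Generals.exe',
    'Splinter Cell.exe', 'Warcraft III - The Frozen Throne.exe',
    'Gods & Generals.exe', 'Unreal 2 Crack.exe',
    'Command & Conquer Generals Crack.exe', 'Gods & Generals Crack.exe',
    'The Sims 4.exe', 'The Sims 4 Crack.exe', 'Splinter Cell Crack.exe',
    'Raven Shield - Crack.exe', 'Raven Shield Keygenerator - WORKS ONLINE.exe',
    'Mortal Kombat - Deadly Alliance.exe')}

def _norm(path):
    # Case-insensitive, separator-normalised comparison key for Windows paths.
    return ntpath.normcase(ntpath.normpath(path))

def morbex_host_indicators(windir, run_values, files, listening_ports):
    """Return Morbex findings for a host snapshot: run_values is a dict of
    HKLM\\...\\Run value name -> data, files a list of full paths, and
    listening_ports the set of TCP ports in LISTENING state."""
    present = {_norm(p) for p in files}
    def under(rel):
        return _norm(ntpath.join(windir, rel))
    findings = []
    # The genuine svchost.exe lives in System32; a Run value named 'svchost'
    # that points at a copy directly in the Windows directory is the worm's.
    if _norm(run_values.get('svchost', '')) == under('svchost.exe'):
        findings.append('Run value svchost -> %WINDIR%\\svchost.exe')
    if under('msapi.exe') in present:
        findings.append('dropped SdBot-based trojan msapi.exe present')
    if all(under(f) in present for f in WEB_ROOT_FILES):
        findings.append('worm web root %WINDIR%\\services present')
    for p in present:
        if ntpath.dirname(p) == under('explorer') and ntpath.basename(p) in KAZAA_NAMES:
            findings.append('Kazaa bait file ' + ntpath.basename(p))
    if 81 in listening_ports:
        findings.append('TCP port 81 listening (worm web server)')
    return sorted(findings)

# Constructed snapshot of a hypothetical infected host (not real data).
SAMPLE_RUN = {'svchost': r'C:\WINDOWS\svchost.exe'}
SAMPLE_FILES = [r'C:\WINDOWS\svchost.exe', r'C:\WINDOWS\System32\svchost.exe',
                r'C:\WINDOWS\msapi.exe', r'C:\WINDOWS\services\index.html',
                r'C:\WINDOWS\services\setup.exe',
                r'C:\WINDOWS\explorer\The Sims 4 Crack.exe']
SAMPLE_PORTS = {81, 135, 445}
```

A clean host with only the legitimate System32\svchost.exe and no 'svchost' Run value produces no findings.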

F-Secure Anti-Virus with the latest updates detects both this worm and the trojan it drops.